Store cluster's Service CIDR to Multi-cluster Gateway's fields #4737
Conversation
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
from
a30d513
to
f19be84
Compare
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
from
f19be84
to
d6352b0
Compare
| oldGateway := gatewayList.Items[0] | ||
| if oldGateway.ServiceCIDR != gateway.ServiceCIDR { |
There was a problem hiding this comment.
This is not correct, you should compare the req.OldObject and req.Object's ServiceCIDR instead of comparing gatewayList.Items[0]'s CIDR with current Gateway's.
There was a problem hiding this comment.
@luolanzone : I do not understand why we need these checks if Gateway is created by MC Controller. The webhook is generally for validating user intents?
If the goal is to prevent users from modifying the object, we should just check that, and ideally override user changes at controller restart.
There was a problem hiding this comment.
Yeah, I think the purpose is to prevent users to modify the field. @jianjuns do you mean not to add validation on webhook but check the field and override the change in node_controller?
There was a problem hiding this comment.
Ideally MC Controller should check and override changes. But first it makes no sense to validate particular fields here. If we want to prevent modification from users, can we just check the identity?
There was a problem hiding this comment.
Good point, @hjiajing could you refine this part? Thanks.
There was a problem hiding this comment.
Sure, I will refine this part.
There was a problem hiding this comment.
Now the controller will check the SA if the verb is "update"
multicluster/controllers/multicluster/member/node_controller.go
Outdated
Show resolved
Hide resolved
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
|
@hjiajing please add commit message to your commit to clarify the change. |
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
from
d6352b0
to
f343578
Compare
|
@luolanzone Added, thanks for the reminder. |
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
2 times, most recently
from
9152047
to
999a16d
Compare
| klog.ErrorS(err, "Error getting ServiceAccount name", "Gateway", req.Namespace+"/"+req.Name) | ||
| return admission.Errored(http.StatusBadRequest, err) | ||
| } | ||
| if saName != mcControllerSAName && isServiceCIDRChanged(oldGateway, gateway) { |
There was a problem hiding this comment.
Again, no need to check individual fields. Just check only MC Controller can update the Gateway spec.
There was a problem hiding this comment.
Done. Removed the field check.
| @@ -116,12 +119,16 @@ func (r *NodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl. | |||
| var isValidGateway bool | |||
|
|
|||
| if stillGatewayNode { | |||
| gw.ServiceCIDR, err = r.getServiceCIDR() | |||
There was a problem hiding this comment.
I think we should discover ServiceCIDR in NewNodeReconciler() or maybe SetupWithManager(). @luolanzone?
There was a problem hiding this comment.
A NodeReconciler without ServiceCIDR is invalid, it does not make sense to reconcile gateways, so I moved the getServiceCIDR step to SetupWithManager func.
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
4 times, most recently
from
1d39bac
to
f55c326
Compare
| return admission.Errored(http.StatusBadRequest, err) | ||
| } | ||
| if saName != mcControllerSAName { | ||
| return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("ServiceCIDR can only be updated by Antrea Multi-cluster Controller")) |
There was a problem hiding this comment.
You are not comparing ServiceCIDR, so better to say Gateway can only be updated by Antrea Multi-cluster Controller
There was a problem hiding this comment.
Fixed. Removed the ServiceAccount to the above of the Operation check. Now only SA is "antrea-mc-controller" could create or update Gateway.
multicluster/controllers/multicluster/member/node_controller.go
Outdated
Show resolved
Hide resolved
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
2 times, most recently
from
77356b3
to
92359f2
Compare
| klog.ErrorS(err, "Error getting ServiceAccount name", "Gateway", req.Namespace+"/"+req.Name) | ||
| return admission.Errored(http.StatusBadRequest, err) | ||
| } | ||
| if saName != mcControllerSAName { |
There was a problem hiding this comment.
We should at least allow other users to get Gateway right?
There was a problem hiding this comment.
We defined a Gateway webhook to validate the operation for CREATE/UPDATE, it has no impact to GET.
There was a problem hiding this comment.
An operation check is added above the SA check. Now only "antrea-mc-controller" could update or create Gateways, but other users could also get Gateways. Two more unit test cases were added.
| } | ||
| if saName != mcControllerSAName { | ||
| return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("Gateway can only be created or updated by Antrea Multi-cluster Controller")) | ||
| } | ||
| // Check if there is any existing Gateway. | ||
| gatewayList := &mcv1alpha1.GatewayList{} |
There was a problem hiding this comment.
If we check only MC Controller can create Gateways, even this check is not necessary? @luolanzone
There was a problem hiding this comment.
Yeah, I feel we can remove this.
There was a problem hiding this comment.
The "unique Gateway" check is removed, as well as the unit test.
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
2 times, most recently
from
533934c
to
0a044ac
Compare
In order to keep Service CIDR in antrea-mc-controller and antrea-agent consistent, the node controller will store the Service CIDR to Gateway's field. When the Service CIDR is used in antrea-agent, controllers could get the Service CIDR in Multi-cluster Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
hjiajing
force-pushed
the
gateway-serviceCIDR
branch
from
0a044ac
to
3ea1da6
Compare
|
/test-multicluster-e2e |
In order to keep Service CIDR in antrea-mc-controller and antrea-agent consistent, the node controller will store the Service CIDR to Gateway's field. When the Service CIDR is used in antrea-agent, controllers could get the Service CIDR in Multi-cluster Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
Add a new field named
serviceCIDRto store the local cluster Service CIDR in Multi-cluster Gateway. So that theantrea-agentcould get the Service CIDR from a Gateway, which makes the Service CIDR inantrea-agentandantrea-mc-controllerconsistent.